Mikrotik Packet Sniffer to Security Onion

You’ll need tzsp2pcap, git, and some development libraries.

Configure on Mikrotik Router

  1. Winbox > Tools > Packet Sniffer.
  2. Enable Streaming server (insert IP address of your Security Onion Management interface)
  3. Enable Filter Stream.
  4. Select the interfaces you want to “tap”.
  5. Start the packet sniffer.

Configure on Security Onion

  1. sudo ufw allow 37008/udp
  2. sudo apt install git build-essential libpcap0.8-dev
  3. git clone https://github.com/thefloweringash/tzsp2pcap.git
  4. cd tzsp2pcap && make
  5. sudo cp tzsp2pcap /usr/local/bin
  6. sudo tzsp2pcap -vv -f | sudo tcpreplay --topspeed -i <capture interface> -

You will now be capturing traffic from your selected Mikrotik interfaces and replaying it onto your Security Onion capture interface. Keep in mind that the TZSP stream is plain, unauthenticated UDP carrying full copies of the sniffed packets, so the path from the router to the Security Onion management interface should be a trusted network.
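To see what is actually arriving on UDP/37008 (and what tzsp2pcap strips before writing pcap), here is an added Python decoder for the TZSP encapsulation; it is not code from this page or from the tzsp2pcap project, the sample datagram is constructed, and it assumes the router sends TZSP "received" frames (type 0) with Ethernet encapsulation, which is what tzsp2pcap expects.

```python
"""Minimal decoder for the TZSP encapsulation the Mikrotik streaming
sniffer sends to UDP/37008: 4-byte header, tagged fields, then the raw
sniffed frame. Added example, not tzsp2pcap's own code."""
import struct
from dataclasses import dataclass, field

TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0        # "received tag list": one sniffed packet
TZSP_ENCAP_ETHERNET = 0x01    # encapsulated protocol value for Ethernet
TAG_PADDING = 0x00            # single byte, no length field follows
TAG_END = 0x01                # single byte, terminates the tag list


@dataclass
class TzspPacket:
    encap: int
    tags: dict = field(default_factory=dict)   # tag id -> raw value
    payload: bytes = b""                        # the sniffed frame


def decode_tzsp(datagram: bytes) -> TzspPacket:
    """Unwrap one TZSP datagram; raise ValueError on malformed input."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if ptype != TZSP_TYPE_RECEIVED:
        raise ValueError(f"not a received-packet frame (type {ptype})")
    pkt = TzspPacket(encap=encap)
    pos = 4
    while True:                      # walk the tag list up to TAG_END
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("truncated tag value")
        pkt.tags[tag] = datagram[pos:pos + length]
        pos += length
    pkt.payload = datagram[pos:]     # everything after TAG_END is the frame
    return pkt


# Constructed sample: v1, received, Ethernet; one RX-channel tag (0x12, len 1,
# value 6), a padding byte, end tag, then a broadcast ARP Ethernet header.
SAMPLE = (bytes([1, 0, 0x00, 0x01, 0x12, 0x01, 0x06, 0x00, 0x01])
          + bytes.fromhex("ffffffffffff0011223344550806") + b"\x00\x01")


def sample_frame() -> TzspPacket:
    return decode_tzsp(SAMPLE)
```

A datagram that fails the version, type or length checks is one you would want to count and alert on rather than feed to the capture interface.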

An excellent use case for this is monitoring your wireless network (if using a combination wireless and wired router) or other interfaces such as PPPoE or VPN tunnels that might not otherwise be tapped without additional hardware.

Note that this can have a severe impact on the performance of your Mikrotik device. The more interfaces you choose to sniff, the more processing overhead when those interfaces become loaded with traffic. As an example, a Mikrotik RB2011 loaded with 50Mbit of ethernet traffic from a total of three sniffed interfaces maxed the CPU (“overclocked” to 750MHz) at 100% and started severely impacting other services running on the device.